Role in IT decision-making process:Align Business & IT GoalsCreate IT StrategyDetermine IT NeedsManage Vendor RelationshipsEvaluate/Specify Brands or VendorsOther RoleAuthorize PurchasesNot Involved

Work Phone:

Company:

Company Size:

Industry:

Street Address

City:

Zip/postal code

State/Province:

Country:

Occasionally, we send subscribers special offers from select partners. Would you like to receive these special partner offers via e-mail?YesNo

Your registration with Eweek will include the following free email newsletter(s):News & Views

By submitting your wireless number, you agree that eWEEK, its related properties, and vendor partners providing content you view may contact you using contact center technology. Your consent is not required to view content or use site features.

By clicking on the "Register" button below, I agree that I have carefully read the Terms of Service and the Privacy Policy and I agree to be legally bound by all such terms.

Drop in Web App Flaws in 2016, Likely Not a Sign of Improved Security

Flaws in Web applications declined in 2016, but this doesn't reflect an improvement in software security because the number of vulnerabilities in other application types is set to increase, security firm says.

WEBINAR:On-Demand

The number of vulnerabilities reported in Web applications decreased slightly in 2016 over the previous year, with flaws in popular content-management systems dramatically declining, security firm Imperva stated in an analysis released last week.

While the decrease in Web vulnerabilities could be considered a sign of improving security for online applications, Nadav Avital, technical lead for Imperva's application security research team, told eWEEK, that's unlikely to be the case.

The fast-changing software landscape—with industrial control systems, the Internet of Things and mobile applications all relatively fertile fields of vulnerability research—is more likely attracting attention from security researchers, and away from Web applications, he said.

"Vulnerability researchers are always looking for the easy prey," he said. "It is always easier to find vulnerabilities in stuff that has little security or no security—this is an explanation that we feel much more comfortable with."

Further reading

Newer programming languages seem to have attracted more attention from security researchers. Both PHP—the latest major version of which was released in December 2015—and Ruby saw an increase in reported vulnerabilities last year. Older languages, such as Java and .NET, saw fewer in 2016.

Content management systems, such as Drupal and Wordpress, saw fewer vulnerabilities in 2016 than the previous year. The number of Drupal vulnerabilities dropped by almost a factor of 10, while Wordpress saw the number of flaws affecting the platform drop in half, according to Imperva data.

Issues with popular plugins continued to hamper the publishing platforms, however.

"You do not see vulnerabilities in the core applications themselves," Avital said. "And this is part of the problem. You have thousands of these add-ons."

More than a quarter of vulnerabilities—27 percent—were considered by Imperva to be especially high risk. The company manually reviews vulnerabilities to identify the severe issues and mitigate their potential impact.

Of the flaws analyzed by Imperva, the greatest number—but not the majority—could allow an attacker to conduct a denial-of-service attack. Cross-site scripting and buffer overflows were the second and third most common attacks enabled by reported vulnerabilities, according to Imperva.

Web-application vulnerabilities were not the most exploited issues, according to another firm's research. In December, data-analytics firm Recorded Future listed the most-exploited vulnerabilities for the year. Of the top-10 software issues, six affected Adobe Flash, two involved Microsoft's Explorer web browser, one affected Windows and another the last version of Microsoft’s Silverlight.

The top-10 exploited vulnerabilities were completely different from the previous year, showing that exploit kits cycle through vulnerabilities quickly, switching to newer issues to remain effective against adapting defenses.

"The teams behind these exploit kits continue to add fresh exploits for software as increased effectiveness in delivering the ‘customer’s’ payload will generate more revenue," the company said.

Unlike the Imperva research, Recorded Future did not focus on Web attacks, but exploit kits that attempted to compromise—mostly—Windows machines.

Advertiser Disclosure:
Some of the products that appear on this site are from companies from which QuinStreet receives compensation. This compensation may impact how and where products appear on this site including, for example, the order in which they appear. QuinStreet does not include all companies or all types of products available in the marketplace.